The DOL Issues Important Cybersecurity Guidance
The Department of Labor (DOL) has issued a helpful, practical, and very detailed set of guidance aimed at the many cybersecurity risks present in today’s retirement plan industry. Although much of the guidance comes in “list form” tailor-made for RFPs, RFIs, and other due diligence exercises, the preliminary step for fiduciaries is to become familiar with the structure and recurring themes of the guidance.
Fiduciaries: Cybersecurity Should Matter to You. The guidance package includes a News Release and three distinct guidance pieces with a “tips” and “best practices” feel: (1) Tips for Hiring a Service Provider; (2) Cybersecurity Program Best Practices; and (3) Online Security Tips. Within the package, the DOL sends strong signals to fiduciaries with the following statements:
- “ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks.”
- “This much-needed guidance emphasizes the importance that plan sponsors and fiduciaries must place on combating cybercrime and gives important tips to participants and beneficiaries on remaining vigilant against emerging cyber threats.”
- “Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.”
The message from the DOL is clear: it expects fiduciaries to consider cybersecurity risks within the scope of their fiduciary responsibilities.
Tips for Hiring a Service Provider. The first set of tips begins with the DOL’s insistence that plan sponsors “should use service providers that follow strong cybersecurity practices.” The DOL then lays out six tips for plan sponsors of all sizes, which, in overly general terms, suggest that fiduciaries should:
- Compare a service provider’s security standards, practices, and policies to industry standards adopted by other organizations;
- Inquire into the validation process and levels of security standards;
- Evaluate the track record around data security;
- Ask about past security breaches and organization responses;
- Inquire into insurance coverage; and
- Pursue contractual assurances of compliance with cybersecurity and information security standards.
Cybersecurity Program Best Practices. The second set provides a list of 12 best practices for recordkeepers and other service providers responsible for plan-related IT systems and data. Those best practices suggest that service providers have in place:
- A formal, well-documented cybersecurity program;
- Prudent annual risk assessments;
- A reliable annual third-party audit of security controls;
- Clearly defined information security roles and responsibilities;
- Strong access control procedures;
- A process for reviewing the security of assets or data stored in a cloud or managed by a third-party service provider;
- Periodic cybersecurity awareness training;
- A secure system development life cycle (SDLC) program;
- An effective business resiliency program;
- Encrypted sensitive data, stored and in transit;
- Strong technical controls; and
- A track record of appropriately responding to past incidents.
Online Security Tips. The final set of tips is intended for consumption by participants and beneficiaries. At the risk of being too informal, we note that it’s pretty cool for a governmental agency to produce content like this that is practical and intended to be easily understood and used by participants. The DOL’s approach is also helpful because it pulls together many suggestions we hear in our everyday, internet-driven lives – like “use multi-factor authentication” and “beware of phishing attacks” – and places them squarely in the retirement plan context.
Closing Thoughts. We’re going to do more work around this DOL guidance. Please be sure to join us for the upcoming Fiduciary 15 webinar in which we will elaborate on the practical implications for fiduciaries. Then stay tuned as we roll out additional participant education offerings around the DOL’s tips, update our recordkeeper RFP processes to include a deeper dive into cybersecurity protections, and continue to ensure our firm’s processes and safeguards would meet the DOL’s expectations.